SSH sessions and automated cron jobs that log in to your Oracle database as SYSDBA are shown as failed logins

If SSH sessions and automated cron jobs that log in to your Oracle database as SYSDBA are shown as failed logins, amend the policy with an exception rule so that only genuine failed logins alert.

Symptoms

SSH sessions and automated cron jobs that log in to your Oracle database through SQLPLUS or RMAN with / as sysdba are reported by Guardium as failed logins, although the sessions themselves succeed.

Causes

Oracle answers these logins with the following error, even though it is not shown on the screen:

ORA-01017: invalid username/password; logon denied

This error triggers the failed login alert. For example, if the OS user that runs sqlplus is a member of the OSDBA group (the group of Oracle DBAs, typically dba) and connects with sqlplus WRONGLOGIN as sysdba, the database authentication of the user WRONGLOGIN fails. That failure raises ORA-01017, which the Guardium collector logs as a failed login. However, because the OS user belongs to the OSDBA group, Oracle then authenticates the SYSDBA connection through the operating system, so the session is allowed to continue without database authentication. Both events, the failed database login and the successful SYSDBA session, are captured and recorded.

Environment

Guardium collectors are affected.

Resolving the problem

Amend the policy by adding an exception rule with an allow action before the rule that alerts about failed logins. Create the exception rule with all of the following conditions, so that it matches only local SYSDBA connections by known DBAs and leaves remote or unprivileged failed logins alerting:

Client IP = <Server IP>
Source program = SQLPLUS
DB user in trusted group
OS user in group of Oracle DBAs
Net protocol = BEQUEATH (if the connection is local BEQUEATH, not TCP)

Check the source program value that the failed login events from your RMAN jobs carry. If they are reported with a source program other than SQLPLUS, extend the Source program condition or add a second exception rule with the same remaining conditions.

This exception rule suppresses the failed login alerts that are caused by the ORA-01017 error, but the events are still logged. To filter them out of failed login reports as well, append the negation of the same conditions to the end of the report's condition list. An event is then kept in the report only if it fails at least one of the exception rule's conditions:

AND
  (
    client IP <> server IP OR
    source program <> SQLPLUS OR
    DB user NOT IN trusted group OR
    OS user NOT IN group of Oracle DBAs OR
    net protocol <> BEQUEATH (if the connection is local BEQUEATH, not TCP)
  )